SWNEpisode25


Security Weekly News Episode 25 - 2020-04-14

Episode Audio

Security Weekly News Episode 25


Description:

This week on the Security Weekly News: Check Point's Global Threat Index moved Dridex to third place, Dutch telco towers were damaged by 5G protestors, CyberCube reports indicate increased targeting of C-suite employees, cybercrime may be the world's third-largest economy by 2021, and Jason Wood joins for the Expert Commentary on how WooCommerce falls to fresh card-skimmer malware!

Visit https://www.securityweekly.com/swn for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

News - Zombieware, 5G Conspiracies, & C-Suite Targets

Doug White's Content:

  1. Check Point Global Threat Index moved Dridex to third place.
  2. Dutch telco towers damaged by 5G protestors.
  3. Why are people so scared of 5G?
  4. 5G conspiracy theories.
  5. The long history of 5G conspiracies.
  6. CyberCube reports indicate increased targeting of C-suite employees.
  7. Over 500k Zoom accounts reportedly for sale, cheap, on the dark web.
  8. Increased vulnerability of work-from-home workers and many exposed RDP (TCP/3389) ports.
  9. Cybercrime may be the world's third-largest economy by 2021.
  10. Jim and Tom put 30 million into Beyond Identity to get rid of passwords.
  11. Sophos releases Sandboxie as open source.
  12. CyberX MITRE ATT&CK and ICS paper.
  13. Australia cracks down hard on old Facebook photos of people having fun outdoors.

Jason Wood's Content:

Threatpost - WooCommerce Falls to Fresh Card-Skimmer Malware


Sucuri - Analysis of a WordPress Credit Card Swiper

A few days ago Threatpost published an article about a card skimmer that is targeting WooCommerce running on WordPress sites. The analysis documented in that article actually comes from Ben Martin, a security researcher at Sucuri. The links for both are in the show notes. The payment card stealing malware is written in JavaScript and it puts a new twist on stealing card data. This card skimmer doesn’t modify WooCommerce, nor does it exploit a vulnerability in the plugin. Instead, it modifies two core WordPress files, and those perform the data theft. So to repeat, there’s no known vulnerability in WooCommerce itself being targeted. If that’s not the case, then how does this attack work? Let’s take a look.

First, the attacker compromises the victim WordPress site. This could be through a brute-force attack on credentials or by exploiting some other vulnerable plugin installed on the site. Once the attacker has admin access to the WordPress site, they modify two files in WordPress core: ./wp-includes/js/jquery/jquery.js and ./wp-includes/functions.php. The modification to ./wp-includes/functions.php pulls in a new PHP file that the attacker adds, named ./wp-includes/rest-api/class-wp-rest-api.php. In the jquery.js file, the attacker adds their code towards the end of the file, just before the jQuery.noConflict() call that closes it. This code copies the credit card information, including the CVV, into plaintext cookies. The added code is not easy to spot manually. Ben discovered it when running an integrity check of the WordPress files; only then could he go looking for it in the minified JavaScript file.

Now that the attacker has the card information stored in cookies, they have to save it off for collection. They do that through the added class-wp-rest-api.php file. This file has more obvious signs of tampering and is consistent with other PHP malware: a number of encoding and concatenation tricks are used to hide what the code is actually doing. If you are familiar with reversing this type of code, it will scream malicious at you. A basic website owner who runs into it won’t know what to make of it. It turns out the code takes the data stored in the cookies (presumably on a subsequent web request) and writes it to two image files in ./wp-content/uploads. The attacker can then collect that data from the images. Interestingly enough, the data had already been zeroed out of the images that Ben was examining. He suspects the malware automatically clears the files after the attackers have collected the data.

Now one of the problems here is that cleaning this up isn’t as simple as updating WooCommerce. There’s nothing to update and there’s nothing WooCommerce can do here. WooCommerce depends on WordPress to run, and that’s where the code is injected: into WordPress core itself. Ben suggests that WordPress site owners modify wp-config.php to disable the built-in theme and plugin file editor in wp-admin. You can do this by adding the line define('DISALLOW_FILE_EDIT', true); to your wp-config.php file, which stops a compromised admin account from editing source code through the dashboard. Note that this closes one easy path only: an attacker who can write files some other way, through hosting credentials or some other vulnerable plugin, is not affected by it.

If the attack occurred through a compromised SFTP, FTP, or other hosting password, then victims will also need to change those passwords. A defense that should be employed on all sites is file integrity monitoring: both to alert on unexpected changes to files, and to compare the core WordPress files on disk against the pristine files for the deployed version. That deployed version should be the current version of course, because we all update to the latest release to avoid vulnerabilities slipping into our WordPress sites. Right? The same goes for plugins.
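The integrity check described above, as an added example (this is not code from the Sucuri or Threatpost write-ups, and not WordPress's own tooling). It records a path-to-SHA-256 manifest for a known-good tree and then reports three things against a live install: core files whose digest changed (the tampered jquery.js and functions.php), core files that went missing, and files under wp-admin/ or wp-includes/ that the manifest never listed (the dropped class-wp-rest-api.php). The "clean" tree, the file contents and the tampering are constructed stand-ins so it runs offline; in production you would take the manifest at install or update time and store it off-host, or just run `wp core verify-checksums` (WP-CLI), which compares against the checksums WordPress publishes for each release.

```python
"""Added example: file integrity check for a WordPress install.

Constructed stand-in data throughout; not the malware and not a real site.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Only these trees are expected to match the core manifest exactly; wp-content/
# legitimately holds uploads, themes and plugins that core does not ship.
CORE_DIRS = ("wp-admin", "wp-includes")


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root to its digest, keyed by relative POSIX path."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the tree on disk against a known-good manifest.

    'unexpected' is restricted to CORE_DIRS so routine uploads are not flagged.
    """
    current = build_manifest(root)
    modified = sorted(p for p, digest in manifest.items()
                      if p in current and current[p] != digest)
    missing = sorted(p for p in manifest if p not in current)
    unexpected = sorted(p for p in current
                        if p not in manifest and p.split("/", 1)[0] in CORE_DIRS)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


# Constructed stand-ins for the core files named in the analysis (hypothetical bodies).
CLEAN_FILES = {
    "wp-includes/js/jquery/jquery.js": "/*! jQuery */ (function(){})();\njQuery.noConflict();\n",
    "wp-includes/functions.php": "<?php\n// core helper functions\n",
    "wp-includes/rest-api/class-wp-rest-server.php": "<?php\nclass WP_REST_Server {}\n",
    "wp-admin/index.php": "<?php\n// dashboard\n",
    "wp-content/uploads/2020/04/photo.jpg": "JFIF",
}


def write_tree(root: Path, files: dict[str, str]) -> None:
    for rel, body in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)


def demo() -> dict[str, list[str]]:
    """Build a clean install, record its manifest, tamper with it the way the
    analysis describes, and return what the integrity check reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_tree(root, CLEAN_FILES)
        manifest = build_manifest(root)  # take this at install/update time, keep it off-host

        # Simulated compromise (constructed, not the real malware):
        # 1. inject just before the closing jQuery.noConflict() call
        jq = root / "wp-includes/js/jquery/jquery.js"
        jq.write_text(jq.read_text().replace(
            "jQuery.noConflict();", "/* skimmer stub */\njQuery.noConflict();"))
        # 2. hook functions.php so it pulls in the dropped file
        fn = root / "wp-includes/functions.php"
        fn.write_text(fn.read_text()
                      + "require_once __DIR__ . '/rest-api/class-wp-rest-api.php';\n")
        # 3. drop the exfiltration file next to the legitimate REST server class
        (root / "wp-includes/rest-api/class-wp-rest-api.php").write_text("<?php // dropped\n")
        # 4. a routine upload: outside CORE_DIRS, so it must NOT be flagged
        (root / "wp-content/uploads/2020/04/new.jpg").write_text("JFIF")

        return verify(root, manifest)


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(f"{bucket}: {paths}")
```

The manifest has to come from somewhere the attacker cannot reach: a digest list stored on the compromised host, or computed after the compromise, just certifies the tampered files as clean. Keeping it off-host (or using the upstream checksums for the exact deployed version) is what makes the comparison meaningful.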

All in all, this was an interesting read. If you are concerned about this attack or are just interested in an analysis of a compromised web site, then check out the original posts. Both the link to the Sucuri blog and Threatpost are in the show notes for today’s episode.